Problem connecting to O365 tenant


serano...@gmail.com

Sep 15, 2022, 6:43:39 AM
to Wazuh mailing list
Hi Guys.

I'm trying to set up a connection between my Wazuh 4.3.5 node and my O365 tenant. I've followed the steps from this tutorial:


I've set up the application and got the data (attachment 1).
I've configured the secret (attachment 2).
I've set up the correct permission (attachment 3).
I've put it all together and restarted the manager:

<office365>
    <enabled>yes</enabled>
    <interval>10s</interval>
    <curl_max_size>10M</curl_max_size>
    <only_future_events>yes</only_future_events>
    <api_auth>
        <tenant_id>1dc064f4-***************************</tenant_id>
        <client_id>57fd6c00-***************************</client_id>
        <client_secret>rV.8Q***************************</client_secret>
    </api_auth>
    <subscriptions>
        <subscription>Audit.AzureActiveDirectory</subscription>
    </subscriptions>
</office365>

But when I go to check the logs in ossec.log, this error pops up:

Exception: Microsoft.Office.Compliance.Audit.DataServiceException: Tenant 1dc064f4-.............................. does not exist

I don't get what I'm doing wrong.

Thanks if you could help, have a nice day.



Lucio Donda

Sep 15, 2022, 7:36:34 AM
to Wazuh mailing list
Hi Stefano, thanks for using wazuh!
Indeed that looks correct from our side.
Have you checked if that error persists even if you disable office365 monitoring? Because it looks like an error from outside wazuh.
I've found this in a quick search but I don't know if that may help you.
Besides that error in the logs, could you share with us some lines before and after? Maybe we could find some info there.
Thanks in advance!

Stefano Serano

Sep 15, 2022, 9:39:10 AM
to Lucio Donda, Wazuh mailing list
Hi Lucio.
Thanks for your reply.

I've checked your link and as soon as I read it I enabled the feature, but an hour and a half later it's still the same issue. I'll share the entire error with you:

wazuh-modulesd:office365: WARNING: Sending Office365 internal message: '{"integration":"office365","office365":{"actor":"wazuh","tenant_id":"1dc064f4-0000-00000--00000-000","subscription_name":"Audit.AzureActiveDirectory","response":"{\"error\":{\"code\":\"StartSubscription [CorrId=f72295da-12f2-4bc9-9acc-c2f40f757bef][TenantId=57fd6c00-000-000-000-000-00,ContentType=Audit.AzureActiveDirectory,ApplicationId=57fd6c00-000-000-00-000-,PublisherId=00000000-0000-0000-0000-000000000000][AppId\",\"message\":\"7fd6c00-23eb-4907-80f0-8af767823072] failed. Exception: Microsoft.Office.Compliance.Audit.DataServiceException: Tenant 1dc064f4-0000-00000-00000-00000 does not exist.\\r\\n   at Microsoft.Office.Compliance.Audit.API.AzureManager.<GetSubscriptionTableClientForTenantAsync>d__52.MoveNext() in k:\\\\dbs\\\\sh\\\\nibr\\\\0907_223511_0\\\\cmd\\\\i\\\\sources\\\\dev\\\\auditing\\\\src\\\\auditapiservice\\\\common\\\\AzureManager.cs:line 2116\\r\\n--- End of stack trace from previous location where exception was thrown ---\\r\\n   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\\r\\n   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\\r\\n   at Microsoft.Office.Compliance.Audit.API.AzureManager.<GetAPISubscriptionAsync>d__22.MoveNext() in k:\\\\dbs\\\\sh\\\\nibr\\\\0907_223511_0\\\\cmd\\\\i\\\\sources\\\\dev\\\\auditing\\\\src\\\\auditapiservice\\\\common\\\\AzureManager.cs:line 550\\r\\n--- End of stack trace from previous location where exception was thrown ---\\r\\n   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\\r\\n   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\\r\\n   at Microsoft.Office.Compliance.Audit.API.StartController.<StartSubscription>d__0.MoveNext() in 
k:\\\\dbs\\\\sh\\\\nibr\\\\0907_223511_0\\\\cmd\\\\b\\\\sources\\\\dev\\\\auditing\\\\src\\\\auditapiservice\\\\apifrontendservicerole\\\\Controllers\\\\StartController.cs:line 76\"}}"}

A question: does this kind of query need a particular Office/Azure license (like Azure AD Premium P1 or P2), like I need in order to use the Graph query of the login logs?

Have a nice day


Lucio Donda

Sep 15, 2022, 1:45:01 PM
to Wazuh mailing list
Hi Stefano,
Regarding the license, there's no clear documentation from the Microsoft side, so I wouldn't think it could be an issue.
There's only 1 attachment on the first mail. Have you double-checked all the values inserted, especially client-secret and tenant?
Does the module have admin permissions?
Another thing I have read is that it needs some time after you set up the unified auditing. Maybe some hours, others say an entire day.
Let me know how it goes.

Stefano Serano

Sep 16, 2022, 4:06:16 AM
to Lucio Donda, Wazuh mailing list
Hi Lucio
Now it works. I needed to wait until the next morning after enabling audit events, but now it's all fine.

Thanks for your support, have a nice day 

Lucio Donda

Sep 18, 2022, 6:08:48 PM
to Wazuh mailing list
Awesome, glad to hear that!